IN-LINE CONTENT BASED SECURITY FOR DATA AT REST IN A NETWORK STORAGE SYSTEM

US 20090319772A1
Filed: 04/25/2008
Published: 12/24/2009
Est. Priority Date: 04/25/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving at a network storage server a plurality of write requests from at least one storage client via a network, the plurality of write requests including data to be written;

in the network storage server, classifying and indexing the data for possible encryption, prior to committing the data to a nonvolatile mass storage facility, based on content of the data or an attribute of the data;

encrypting at least some of the data based on results of said classifying and indexing; and

committing the data to the persistent mass storage facility, such that at least some of the data is committed to the mass storage facility in encrypted form.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network storage server receives multiple write requests from a set of clients via a network and internally buffers multiple data blocks written by the write requests. At a consistency point, the storage server commits the data blocks to a nonvolatile mass storage facility. The consistency point process includes using a storage operating system in the network storage server to compress the data blocks, encrypt selected data blocks, and store the compressed and (possibly) encrypted data blocks in the nonvolatile mass storage facility. Data blocks can also be fingerprinted in parallel with compression and/or encryption, to facilitate subsequent deduplication. Data blocks can be indexed and classified according to content or attributes of the data. Encryption can be applied at different levels of logical container granularity, where a separate, unique cryptographic key is used for each encrypted logical container.

158 Citations

28 Claims

1. A method comprising:
- receiving at a network storage server a plurality of write requests from at least one storage client via a network, the plurality of write requests including data to be written;
  
  in the network storage server, classifying and indexing the data for possible encryption, prior to committing the data to a nonvolatile mass storage facility, based on content of the data or an attribute of the data;
  
  encrypting at least some of the data based on results of said classifying and indexing; and
  
  committing the data to the persistent mass storage facility, such that at least some of the data is committed to the mass storage facility in encrypted form.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as recited in claim 1, further comprising:
    - compressing the data in the network storage server prior to said encrypting.
  - 3. A method as recited in claim 1, further comprising:
    - selecting one or more encryption keys to use to encrypt the data, based on content of the data.
  - 4. A method as recited in claim 1, wherein said classifying and indexing the data for possible encryption is performed in response to a write request from a storage client.
  - 5. A method as recited in claim 1, wherein said encrypting is performed in response to a write request from a storage client.
  - 6. A method as recited in claim 1, wherein said classifying and indexing the data for possible encryption is invoked by a storage manager in the network storage server.

7. A network storage server comprising:
- a network interface through which to receive write requests from a plurality of clients via a network;
  
  a storage interface through which to access a persistent storage subsystem for storing data responsive to the write requests; and
  
  a storage operating system to control data storage and management operations of the network storage server, the storage operating system includinga storage manager to control servicing of read and write requests,data classification logic to classify and index data from the write requests for possible encryption, based on content of said data, before said data is committed to the persistent storage subsystem; and
  
  encryption logic to encrypt at least some data from the write requests, based on output of the classification unit.
- View Dependent Claims (8, 9, 10, 11)
- - 8. A network storage server as recited in claim 7, further comprising:
    - compression logic to compress the data in the network storage server prior to said encrypting.
  - 9. A network storage server as recited in claim 7, wherein the encryption logic further is to select one or more encryption keys to use to encrypt the data, based on content of the data.
  - 10. A network storage server as recited in claim 7, wherein the data classification logic is invoked in response to a write request from one of the clients.
  - 11. A network storage server as recited in claim 7, wherein the encryption logic is invoked in response to a write request from one of the clients.

12. A network storage system comprising:
- a processor;
  
  a communications interface coupled to the processor; and
  
  a memory storing instructions which, when executed by the processor, cause the network storage system to perform a set of operations includingprocessing a plurality of write requests from at least one remote processing system via a network, the plurality of write requests including data to be written;
  
  in the network storage server, classifying and indexing the data for possible encryption, prior to committing the data to a persistent storage subsystem, based on content of the data;
  
  encrypting at least some of the data based on results of said classifying and indexing; and
  
  committing the data to the persistent storage subsystem, such that at least some of the data is committed to the persistent storage subsystem in encrypted form.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. A network storage system as recited in claim 12, wherein the set operations further comprises:
    - compressing the data in the network storage server prior to said encrypting.
  - 14. A network storage system as recited in claim 12, wherein the set operations further comprises:
    - selecting one or more encryption keys to use to encrypt the data, based on content of the data.
  - 15. A network storage system as recited in claim 12, wherein said classifying and indexing the data for possible encryption is performed in response to a write request from a storage client.
  - 16. A network storage system as recited in claim 12, wherein said encrypting is performed in response to a write request from a storage client.
  - 17. A network storage system as recited in claim 12, wherein said classifying and indexing the data for possible encryption is invoked by a storage manager in the network storage server.

18. A method comprising:
- receiving at a network storage server a plurality of write requests from at least one storage client via a network, the plurality of write requests including data to be written;
  
  in the network storage server, classifying and indexing the data, prior to committing the data to a nonvolatile mass storage facility, based on content of the data or an attribute of the data; and
  
  modifying a security attribute of the data based on results of said classifying and indexing.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. A method as recited in claim 18, wherein modifying the security attribute comprises modifying an attribute to apply a particular degree of access control to the data.
  - 20. A method as recited in claim 19, wherein modifying the security attribute comprises modifying an attribute to enforce a particular access control list.
  - 21. A method as recited in claim 18, wherein modifying the security attribute comprises modifying an attribute to alter a stringency of auditing access to the data.
  - 22. A method as recited in claim 18, wherein modifying the security attribute comprises modifying an attribute to catalog the location of the data for subsequent reporting.
  - 23. A method as recited in claim 18, further comprising:
    - committing the data to the persistent mass storage facility, such that at least some of the data is committed to the mass storage facility in encrypted form
  - 24. A method as recited in claim 18, further comprising:
    - compressing the data in the network storage server prior to said encrypting.
  - 25. A method as recited in claim 18, further comprising:
    - selecting one or more encryption keys to use to encrypt the data, based on content of the data.
  - 26. A method as recited in claim 18, wherein said classifying and indexing the data for possible encryption is performed in response to a write request from a storage client.
  - 27. A method as recited in claim 18, wherein said encrypting is performed in response to a write request from a storage client.
  - 28. A method as recited in claim 18, wherein said classifying and indexing the data for possible encryption is invoked by a storage manager in the network storage server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Singh, Ajay, Kogelnik, Christoph, Subramanian, Ananthan

Application Number

US12/110,114
Publication Number

US 20090319772A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

G06F 21/6218 to a system of files or obj...

IN-LINE CONTENT BASED SECURITY FOR DATA AT REST IN A NETWORK STORAGE SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

158 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

IN-LINE CONTENT BASED SECURITY FOR DATA AT REST IN A NETWORK STORAGE SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

158 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links